Embracing Security by Design: Constructing a More Secure Framework

A starting point for any security initiative is to recognize an inconvenient truth: No tool or solution is perfect, and the weakest link is often the human element. People click malicious links, circumvent controls, and find myriad other ways to undermine even the best security systems and technology.

"Many security problems can be linked to the user interface. In many cases, people are not equipped to make security decisions on the fly," observes David Strauss, CTO and co-founder of Web content platform Pantheon.

Too often, he says, organizations design sites, apps, and content for instant consumption with little or no regard for security. "It's simply security theater," he says. "There's little evidence that what the company is doing is having any real impact on security."

These problems range from invalid site certificates that people can simply click through to turning off security warnings or being confronted with an all-or-nothing list of permissions during the install process. Companies often don't explain what a choice means and how it potentially affects site or app performance as well as security.

The accumulation of these issues can undermine faith in a company — and in the online world overall. It's magnified by business that rely on so-called dark patterns, which essentially trick or strong-arm a person and force a response.

"In many respects, UX and security are frenemies," says Tyler Klein, executive experience director at digital design firm Robots & Pencils.

A Focus on UX
As organizations peel back the layers on design security, it quickly becomes apparent that the user interface is only part of the overall UX puzzle. Getting a handle on all the layers is critical.

"You have to start with the question: What is it that you are trying to achieve with technology and with software in general?" says Damilare Fagbemi, founding partner for Resilient Software Security.

This includes questions about who and what requires protection, as well as what type of experience a business is hoping to create. As business, IT, security, and design teams sort through all the issues and collaborate on a secure design strategy, answers about authentication methods, security settings, and how to educate users bubble to the surface.

"This makes it possible to design a user interface that promotes the level of security that an organization deems important," Fagbemi says. It also aids in developing sites, apps, and content that eliminate unnecessary steps that complicate security.

"It's possible to build and deliver the right layers and tiers of security," he adds.

For example, the combination of secure UI and UX elements can discourage or encourage customers to adopt multifactor authentication. A good interface makes it easy to sign up and is tied to convenient tools, such as Google Authenticator or Microsoft Authenticator, that deliver highly secure rolling codes.

Facing Insecurities
What makes UX and UI security so challenging is that it intersects with numerous business processes and elements. Yet this also presents opportunities to use UI and UX more effectively. For instance, it's possible to create a better and more secure buying experience by eliminating the need to manually enter personal information and credit card data. Apple Pay, Amazon Pay, Google Pay, and other services implement a single button and one-click buying process that elicits trust and delivers a highly secure click-and-buy model.

However, it's also important to take a close look at the underpinnings of business processes and how they intersect with UI and UX. This includes limiting what people can see and do — including at the network and database layers — through more elaborate permissions and controls. This approach can simplify processes and reduce the odds that someone can err or misuse a system. Yet, at the same time, it can reduce the risk that a hacker or thief can view assets and enter a network.

Other key UX factors include adapting the security interface to match the device and form factor, setting automatic logoff times with countdown timers as the deadline approaches, building sites with secure HTML5 content, deploying HTTPS everywhere and using other forms of encryption, and minimizing and monitoring ad spaces at websites and in apps. (Since ad elements frequently incorporate external HTML, they pose risks for both a company and customers using the site or app.)

To be sure, there are numerous factors to consider as organizations sort through UI and UX security factors, says Amber Lindholm, head of design for Duo Security at Cisco. This includes setting priorities and then designing sites, apps, and content appropriately. For instance, a social media site or customer review page might embrace an "open by default" mentality to drive usage and engagement, she notes. On the other hand, sites that conduct commerce and hold personal data require a "secure by default" approach.

Protection Schemes
In the end, it's important to recognize the power of design in UI and UX.

"Businesses can use elements to help highlight default or recommended actions or policies, use clear and simple language to explain options, and show previews of what might be expected by different actions," Lindholm explains.

In addition, it's critical to engage in user experience testing with real people and identify what's working, what isn't working, and how to improve.

"You will always find unexpected behaviors or paths of thinking that you haven't planned for or expected," Lindholm says. "Security, like most things, is really more of a human problem than a technical one."